From owner-freebsd-security Tue Feb 18 03:24:28 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA27793 for security-outgoing; Tue, 18 Feb 1997 03:24:28 -0800 (PST)
Received: from eel.dataplex.net (eel.dataplex.net [208.2.87.2]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA27771; Tue, 18 Feb 1997 03:24:19 -0800 (PST)
Received: from [208.2.87.3] (shrimp [208.2.87.3]) by eel.dataplex.net (8.7.5/8.6.9) with ESMTP id FAA06842; Tue, 18 Feb 1997 05:24:16 -0600 (CST)
X-Sender: rkw@mail.dataplex.net
Message-Id:
In-Reply-To: <199702171819.TAA02087@vector.jhs.no_domain>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 18 Feb 1997 05:17:47 -0600
To: "Julian H. Stacey"
From: Richard Wackerbarth
Subject: Re: I guess we need to read all code, not just SUID stuff !
Cc: security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>I'm hoping to be told I'm wrong below,
>I'll be disappointed (& others more so) if I'm right :-) .....
>
>Ref. the freefall break in, & the planting of trojans in bin path,
>& possible planting of trojans in src/
>& intention to read code for manipulation ...
>
>We presumably don't need to just read the SUID stuff,
>we need to read all 120M of src/ :-(

Although it is certainly a good idea to review all the source code, an uncompromised archive of the CTMs does provide a shortcut, because it is a sequence of "diff"s. If you assume that the source is free from trojans on Date X, you need only look at the changes since then. You might be able to "read" the deltas directly, or you could at least use them as a filter to eliminate all the programs which have had no changes at all.

Unfortunately, "Date X" might be (something; I'm not up on classical history) BC :-(

The full audit needs to be done periodically as a safety precaution.
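The filtering step Richard describes, as an added example that is not part of the original mail or of the FreeBSD project's own tooling: given a directory of deltas applied after a trusted baseline, list the files they touched and intersect that with the live tree to get the audit scope, after first checking the deltas against a checksum manifest so a tampered archive is noticed before it is trusted. It treats the deltas as plain unified diffs (real CTM deltas carry their own framing, so this is an assumption), and every path, delta and manifest below is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Assumptions: deltas are plain unified diffs named delta.NNNN; the
# paths, hunks and manifest are constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DELTAS="$WORK/deltas"
mkdir -p "$DELTAS"

# Constructed deltas: 0001 edits login.c, 0002 adds newtool.c and edits
# login.c again, 0003 deletes oldtool.c (its "+++" side is /dev/null).
cat > "$DELTAS/delta.0001" <<'EOF'
--- src/usr.bin/login/login.c	Mon Jan  6 10:00:00 1997
+++ src/usr.bin/login/login.c	Tue Feb 11 09:00:00 1997
@@ -1,3 +1,4 @@
 int main(void) {
+	/* constructed change */
 	return 0;
 }
EOF
cat > "$DELTAS/delta.0002" <<'EOF'
--- /dev/null	Thu Jan  1 00:00:00 1970
+++ src/bin/newtool/newtool.c	Wed Feb 12 09:00:00 1997
@@ -0,0 +1 @@
+int main(void) { return 0; }
--- src/usr.bin/login/login.c	Tue Feb 11 09:00:00 1997
+++ src/usr.bin/login/login.c	Wed Feb 12 09:00:00 1997
@@ -1,4 +1,4 @@
 int main(void) {
-	/* constructed change */
+	/* constructed change, again */
 	return 0;
 }
EOF
cat > "$DELTAS/delta.0003" <<'EOF'
--- src/bin/oldtool/oldtool.c	Mon Jan  6 10:00:00 1997
+++ /dev/null	Thu Jan  1 00:00:00 1970
@@ -1 +0,0 @@
-int main(void) { return 0; }
EOF

# Constructed file list of the live tree (hypothetical paths).
cat > "$WORK/live.list" <<'EOF'
src/bin/newtool/newtool.c
src/bin/ls/ls.c
src/usr.bin/login/login.c
EOF

# Constructed manifest standing in for one kept off the compromised
# host. cksum is a CRC, adequate for the demo only; record a
# cryptographic hash in a real deployment.
(cd "$DELTAS" && cksum delta.*) > "$WORK/MANIFEST"

# Succeed only if every delta's checksum still matches the manifest.
verify_deltas() {
    (cd "$1" && cksum delta.*) | cmp -s - "$2"
}

# Print, sorted and deduplicated, each path a delta series leaves in
# the tree: the "+++" side of every file header, skipping /dev/null
# (a deletion). Added files appear here because their "+++" side is
# the new path. Paths containing whitespace are not handled.
changed_files() {
    cat "$1"/delta.* | awk '$1 == "+++" && $2 != "/dev/null" { print $2 }' | sort -u
}

# Audit scope: live-tree files that some delta touched. Files in
# neither set are unchanged since the baseline, provided the live
# tree really is baseline plus these deltas and nothing else.
audit_scope() {
    changed_files "$2" > "$WORK/changed"
    sort -u "$1" | comm -12 - "$WORK/changed"
}

if verify_deltas "$DELTAS" "$WORK/MANIFEST"; then
    echo "deltas match manifest"
else
    echo "MANIFEST MISMATCH: do not trust these deltas" >&2
    exit 1
fi
echo "files to audit:"
audit_scope "$WORK/live.list" "$DELTAS"
```

The intersection is only as good as two premises the mail states: the baseline at Date X is clean, and the live tree equals that baseline plus exactly these deltas. A trojan dropped directly into a file no delta mentions stays invisible to this filter, which is why the rebuilt baseline-plus-deltas tree should also be compared against the live tree, and why the full periodic audit still has to happen.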